Evidence Handling and Chain of Custody
Key Takeaways
- Digital evidence must be identified, collected, preserved, analyzed, and reported in a defensible manner.
- Chain of custody documents who handled evidence, when, where, why, and how it was protected.
- Hashing verifies that forensic copies have not changed after acquisition.
- Responders should collect evidence in a way that minimizes alteration and preserves admissibility where needed.
- Evidence handling must follow organizational policy, legal direction, and the incident objective.
Digital forensics applies structured investigation methods to electronic evidence. In Security+ scenarios, the best answer often protects evidence before analysis. Evidence that is changed, undocumented, or handled casually may lose value, even if it contains useful technical facts.
Evidence Handling Process
| Step | Purpose | Example |
|---|---|---|
| Identify | Determine what may contain evidence | Laptop, phone, cloud audit logs, firewall logs |
| Collect | Acquire evidence using approved methods | Disk image, memory capture, log export |
| Preserve | Protect evidence from change | Write blocker, evidence bag, access control, secure storage |
| Analyze | Examine verified copies rather than originals whenever possible | Review image, parse logs, inspect artifacts |
| Report | Explain findings and limits | Timeline, methods, hashes, conclusions |
Chain of Custody
Chain of custody is the documented history of evidence handling. It should show who had the evidence, when they received it, where it was stored, what they did with it, and when they transferred it.
| Field | Example |
|---|---|
| Evidence ID | E-2026-0429-003 |
| Description | Dell laptop assigned to user mlee, serial 7XQ914 |
| Collected by | J. Patel |
| Date and time | 2026-04-29 14:22 PDT |
| Location | Finance office, desk 18 |
| Condition | Powered on, screen locked, connected to dock |
| Action | Photographed, volatile data captured, disk image acquired |
| Hash | SHA-256 of forensic image recorded |
| Transfer | Released to evidence locker custodian at 16:10 PDT |
Hashing and Integrity
A hash is a fixed-length value calculated from data. If a forensic image changes, the hash changes. Investigators commonly record hashes when acquiring evidence and verify them later before analysis or reporting.
Example evidence note:
Evidence ID: E-2026-0429-003
Source: laptop internal SSD
Acquisition: forensic image using approved tool
Source hash: 5f2a...b81c
Image hash: 5f2a...b81c
Verification: matched at acquisition and before analysis
The exact algorithm may depend on policy and tooling, but the purpose is the same: demonstrate integrity.
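The record-then-verify workflow described above, as an added example that is not part of the original page: it hashes an image in chunks, stores the hash in a custody record alongside who/when/what entries, and recomputes the hash before analysis. The file name, record layout and field names are assumptions for illustration.

```python
# Added example (not from the original page): record an acquisition hash for a
# forensic image and verify it later. Record layout and names are assumptions.
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte images need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def _entry(who: str, action: str) -> dict:
    """One custody log line: who did what, and when (UTC)."""
    return {"when": datetime.now(timezone.utc).isoformat(), "who": who, "action": action}

def record_acquisition(image: Path, evidence_id: str, collected_by: str) -> dict:
    """Create the custody record at acquisition time, including the image hash."""
    return {
        "evidence_id": evidence_id,
        "image": image.name,
        "algorithm": "sha256",
        "image_hash": sha256_file(image),
        "log": [_entry(collected_by, "acquired and hashed")],
    }

def log_transfer(record: dict, who: str, action: str) -> None:
    """Append a transfer or handling entry to the custody log."""
    record["log"].append(_entry(who, action))

def verify_image(image: Path, record: dict, who: str) -> bool:
    """Recompute the hash before analysis; log the outcome and return match status."""
    ok = sha256_file(image) == record["image_hash"]
    log_transfer(record, who, "verification " + ("matched" if ok else "FAILED"))
    return ok

if __name__ == "__main__":
    image = Path("E-2026-0429-003.img")
    image.write_bytes(b"constructed sample image bytes")  # stand-in for a real image
    rec = record_acquisition(image, "E-2026-0429-003", "J. Patel")
    log_transfer(rec, "evidence locker custodian", "received for storage")
    print(json.dumps(rec, indent=2))
    print("verified before analysis:", verify_image(image, rec, "analyst"))
```

A mismatch on `verify_image` means the copy can no longer be tied to the acquisition hash, and the failed check is itself logged so the gap appears in the custody record.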
Original Scenario
A finance analyst reports that spreadsheets were changed without approval. Security suspects the analyst workstation and a cloud file repository. The responder photographs the desk setup, records the laptop state, captures volatile data because the machine is running, exports cloud access logs, and then creates a forensic image of the drive. The original laptop is secured. Analysis is performed on verified copies.
Common Traps
- Analyzing the original drive directly when a forensic copy is possible.
- Forgetting to document who transferred the evidence.
- Failing to hash the image before analysis.
- Powering off a running system without considering volatile evidence.
- Mixing evidence from different cases without clear labels.
- Leaving evidence in an unlocked desk drawer or personal cloud folder.
Exam Focus
For SY0-701, chain of custody is about accountability and integrity. If a question asks how to preserve evidence, choose the action that documents handling, prevents unauthorized change, and supports repeatable analysis.
- What is the main purpose of chain of custody?
- Why is a hash recorded for a forensic image?
- Which items belong in a chain of custody record? Select three.